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(54) Title: A DISTRIBUTED SYSTEM AND METHOD FOR SYSTEM IDENTIFICATION AND VULNERABILITY SCANNING 
(57) Abstract' . ■ \. T;' ' • 

:'" A system and method for a distributed system for 
identification of network access points into a secure network. 
The system and rriethod include: a means for dialing a plurality 
of telephone numbers (310, 308, 306) and logging results for 
each telephone number; a means for remotely managing the 
means for dialing (312, 314), and a means for reporting the 
results for each telephone number (422), The system may 
also include a means (300. 302, 304) for identification of the^ 
network access points by detecting Point to Point Protocol 
(???) and password guessing in an attempt to gain access to . 
the communications resource. The system can also include 
a means for identification of the network access points by 
detecting binary and/or text signatures. The system can also 
include a means (310, 308, 306) for dialing at least two ■ 
telephone numbers at the same time. The system can also 
include remotely dialing local telephone numbers. The system . 
can also include reporting changes in dial up access points since 
a previous scan. 
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A DISTRIBUTED SYSTEM AND METHOD FOR SYSTEM 
IDENTIFICATION AND VULNERABILITY SCANNING 

TECHNICAL FIELD 

The invention relates generally to telecommunications access control systems and 
particularly to a telephony system for identifying systems and vulnerability scanning for 
- '. secure networks. . 

5 BACKGROUND 

Firewalls have proven effective in protecting the perimeter of computer data 
networks and are now considered to be essential network components. However, firewalls 
and intrusion detection devices provide no protection against unauthorized traffic routed to 
or from the network through devices such as modems. 

10 Most organizatioitis protect authorized modem access to their computer networks 

with authentication and encryption technologies, bundled into Remote Access Services 
(RAS). However/organizations recognize the very real and growing threat posed by 
. unauthorized access to the network through rogue modems, easily connected to nearly any of 
its voice or fax lines. Security sawy organizations are becoming increasingly effective in . 

15 protecting computer access to their networks; and at the same time, acutely aware of the 

threats posed by lack of security over access to the same networks through their hundreds or , 

. : even thousands of uncontrolled, unmonitored telephone lines. 

Modems and fax machines connected to an organization's data network can be 
installed by individuals with either malicious or benign intentions. Nearly any individual 

20 can easDy connect a modem to an existing PC and/or telephone or facsimile line. Once 
connected, the device effectively bridges the "untnisted" Public Switched Telephone 
Network (PSTN) to an organization's "trusted" data network. Each bridge can be thought 
of as an unmonitored, uncontrolled connection to the Internet, or "untrusted" network. An 
individual with benign intentions might utilize this access to the data network to 

25 : xmknowingly upload data containing dangerous viruses, bypassing the protection and logging 
provided by a firewall. More importantly, individuals having malicious intent can e:q)loit 
: this same bridge to the "trusted" data network. Hackers and phreakers will often wardial to 
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find these bridges, then gain access to the data network potentially stealing and/or - 
destroying vgQiiable date behind 

Interestingly, the same tools that are used to exploit security are also used routinely 
; by security professionals to help secure their private data networks by locating, identifying 
5 and testing the security configuratio^^^^ 

Though a handful of commercially produced wiardialers have emerged oyer the past 
several yeaors, the basic theme of operation has not changed for more than twentyyears. 
Wardialers remain standalone applications, dialing ranges of nxmibers, identifying those with 
carriers, and in some more sophisticated cases, attempting 
10 software at the other end; for instance, PC Anywhere, NT RAS, or simply a ATTIOO emulated 

shell/: •■'■;;--\.\.;V:^^ ..:';V;. ; '../..V.- ^- ■ ^'^ : : ■ ^' ' ' ■ 

The fact that a large portion of an organizatw^ 
; not completely escaped the attention of savvj^ security Managers. This is especially 

significant when you consider the sheer number of telecpm^^ "pipes" that are 

15 connected to an organization's network. The extraordinarily low cost and knowledge barrier 
associated with modem technology today exacerbates the problem of unsecured modems 
discussed above. Almost anyone can simply connect a modem to a PC on the trusted data 
network, effectively bridging the trusted network to the untrusted PSTN. Periodic scanning 
of the telephone network is now generally recognized as a necessary component of a 
20 corporate security policy. In fact, a significant number of organizations have begun using a 
; variety of ad-hoc tools to survey their telecommunication security posture. 

Cxirrently, the data security market is focused primarily on LAN, WAN, and Internet 
security. Traditional firewalls generally protect TCP/IP-based networks (o^ 
based protocol fietwprks), attempting to restrict access and to protect data on networks 
25 behind them. Most, however, are focused on protecting the "front^door" (the Internet) while 
ignoring the "back door; side door and windows" (the telecommunicatipiis access to the data 
■; network).'. .;- ■- ^ : V ■ - 

Initially, the only tools available to security professionals were wardialers that weire 
originally developed by underground "hackers" and telephone "phreaker^." There are a : 
30 number of problems associated with the.use of a product developed and intended largely for 
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' malidcms purposes. The primary problem is that the software was not developed and t^^ 
. ■ using acceptable levels of engineering discipline. Furthermore, those types of applications 
may even contain undocumented features, Trojan Horses or computer viruses. For a long 
/ time, there were no companies in the industry producing comniercially developed wardialers. 
5 Security professionals were forced to rely on untested and unproven tools because they often 
were not in a position to develop the tools themselves or contract another company to 
develop the tools professionally. This unfulfilled need spiuned the.development of security- 
centric and professionally developed telephone scanning products. 

Today, many wardialers are available to security professionals. Most of these 
1 0 software applications vary in complexity and were developed by individuals in the hacker 
community. Some available wardialers operate using a single computer and a single modem, 
while others can control midtiple modems simultaneo^ , 
multiple modem control future to the security professional is the decrease in time required 
to complete a sweep of several hundred or more telephone lines. Although able to dial 
15 multiple modems simultaneously, multiple modem systems are not cost effective when used 
on a large, geographically separated organization due to the cost of extend 
dialing required to accomplish a complete scan of the enterprise. Additionally, since existing 
systeins do not provide a distributed solution, the results from multiple, independent sc^ 
from geographically separate sites must be . 
20 manually analyzed and compared to ascertain the complete corporate security posture. 

Therefore, a dependable, user friendly, scalable, andreliable system andmethodfor 
identifying systems and vulnerability scanning for secure networks is needed to fill these 
- .;, needs. :•. ''''^'r' -- ):/ ' V .-^ ■ ; '.. ''''*": ^ 

SUMMARY OF THE INVENTION 
25 The present invention is a software application and architecture that expands 

traditional wardialing ftlnctaonality to include ^stetn identification and vulnerability 
scanning, while providing large scale distributed and parallel execution through a client- 
server architecture. In this fashion, an organization can reduce costs and effectively leverage 
security expertise across then: enterprise. Currently, security professionals have a limited 
30 / set of reliable, professionally developed scanning products to use to characterize their 
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telecommunications security posture. A pressing need exists to develop a commercial grade .: 
wardialer with enhanced functionality. / . ' 

The present invention is a telecoinmunic^tions scanner; whi^ 
dialing and vulnerability assessment functions for telephonic networks. The present \ 
5 . invention provides an important fundairieiital benefit in that it provides visibility into the 
ejdstenc^ of rogue modem? and characterizations - 
logging the vidnerability stat6 of modems connected 

provides visibility into the usage of telecomihunicatipiis resources, thereby enhancing an 
organization's abiUty to more completely assess their se^ This enables the 

10 organization's decision-makers to evaluate, monitor and improve security policies, which 
include telecommunication resources. In addition to the visibil^^ , 
, communicatipn events, the present invention is capiable of automatically detecting and 

. identifying the software controlling the modem, and testing its configuration to determine 
; its security posture. The visibility provided goes beyond merely logging the existence of 

15 modems connecting the PSTN to the trusted data network. The scanning system is capable 
of detecting changes in the number and security state of modems that have occurred since 
the last "sweep". The present invention detects, analyzes and reports the potential - 
vulnerability of each and every telephone station, fax machine, and modem line in the 
enterprise at a discrete point in time/ Use of its "compare" featiire allows security ' 

20 professionals to compare the results from several discrete assessments, to detec 
viilnerability trends. 

The present invention is a client/server solution for telecommunication vulnerabiUty . . 
assessment. In this design, the server is the Manager and the client is the Dialer. The 
Manager is used to configure the rule set for dialing and then receive, display and inte^^ 
25 the resxilts. The Manager develops dialing profiles and then pushes those profiles to Dialers 
forexecution. Each Dialer operates one or more modems to perfonn each diaHng task as 
defined by the Manager. It categorizes each phone line dialed as voice, fax or modem and ^ 
marks uncompleted calls such as busy .or no answer to be called a^ 
^- V- • -.dialingpolicy. " •;■ 

30 For large brgaiiizations, which may be geographically separated, the present 
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. ; . invention can consist of multiple Dialers and Managers, interconnected by a LANAVAN or 
the Internet itself, thus providing remote, centrally managed enterprise-wide 
characterization of the organization's telephony security postur ; 
In one embodiment, a system and method for a distributed system for identification of 

5 network access points into a secure network is provided.. The sys[tem and method includes: a 
meians for dialing a plurality of telephone numbers and logging results for each telephone 
number; a means for remotely managing the means for dialing; and a means for reporting 
the results for each telephone number. The system may also include a means for 
identification of the network access points by detecting Point to Poin^ 

10 password guessing in an attempt to gain access to the communications resource, Th^ system 
can also include a means for identification of the network access points by detecting binary 
and/or text signatures. The system can also include a means for dialing at least two 
. telephone numbers at the same time. The system can also include remotely dialing local 
telephone numbers; The system can also include reporting changes in dialup access points 

15 since a previous scan. 

BRIEF DESCRIPTION OP THE DRAWINGS 

FIG. 1 is a fimctional block diagram of an exemplary communications network; 
. FIG. 2 is an architectural diagram of the preferred embodiment of the present 
invention showing a standalone configuration; 
. 20: FIG. 3 is an architectural diagram of the preferred embodiment of the present 

; invention showing a distributed configuration; 

FIG. 4 is a flow diagram illustrating the Manager portion of the system; 
PIG. 5 is a flow diagram illustrating the Dialer control interface portion of the 
.system; and • 

25 FIG. 6 is a flow diagram illustrating the Dialer p^^ , 

DETAILED DESCRIPTION 
\: One pfthefii^steps in seciurihg gm organization is locating ^ 
deteirodiiing how secure those access points are, then locking them down.- Insecure or 
misconfigured modems with an organization are security risks, potentially bypassing 
30 controls normally enforced by firewalls or similar securiiy devices. Security personnel must . 



Wp00/704S6 



PCTAJS99/22240 



be able to detect all modems and faxes first, and then make an additional determination as to 

' which ones are authorized and which ones are not. Once identified, security personnel can 
eliminate the unauthorized modems and manage the security configuration of the authorized 
modems. The preferred embodiment performs the identification piece by scaimirig the 
5 network for modems connected to the network, followed up with an a^^ 
modem?s security posture. - " . ' 

In.figure 1, an attacker 100 can access a communications network by either going 
through the Internet 102 or the Public Switched Telephone Network (PSTN) 104, The 
InteiTiet 102 cpimects to the internal network 106 throu^ 110. 

10 The router 108 routes all traffic into the internal network 106 from the Internet 102, as well 
as all traffic out to Inteniet 102. However, the firewall 110 has the power to restri 
traffic going in and out of the internal network 106. ■ 

Although the internal network 106 depicted in figure 1 has a firewall 110 to prevent 
unauthorized traffic, the attacker has another access point through the PSTN 104. A 

15 Remote Access Server (RAS) 120 connects a Private Branch eXchange (PBX) 114 to the 

internal network 106, but through the firewall 110. This configuration allows users remote 
access to the internal network, but does so securely since the user must go through the ; 
^ firewall 110. However, as depicted in figure 1, a user may have a modem 112 connected to 
his computer 122 and allow access into the internal network 106. In this scenario, the 

20 attacker 100 can use a wardialer to find the modem 112 connected to the internal network 
106 and then attempt to gain access throiigh the modem 112. The wardialer could also 
detect a telephone 116 and a fax machine 118, but is mainly interested in the modem 112, 

The scenario depicted in figure 1 shows how the security of an internal network can 
be threatened even though a firewall is installed to protect the network. 

25 Figure 2 shows the architecture of the standalone configuration of the present 

invention. The system consists of several modems 200 that dial phone numbers in order to 
detect other modems connected to a network. The modems 200 are controlled by a software 
program called a Dialer. The Dialer is described in more detail below in reference to figures 
5 and 6. In the standalone configuration of figure 2, a Dialer is run on a single computer 

30 along with the Manager portion of the present m^ 
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in detail below in reference to figure 4. 

The present invention includes dialing ranges of numbers, identifying modem an^^ 
fax carriers, and attempting to identify the communications application at the terniinating 
station through signature analysis (i.e. matching negotiation signaling and/or textual 
5 "Ibann 

After identifying the communications applicati^ 
' present invention attempts to establish a connection and test for security vuhxerabilities 
assodated with it, For example^ if the present invention deterim 

modem on a PC that is running PCAnjnvhere, it will attempt to gain access to the PC using 

10 default. PC Anywhere UserlD and Password combinations. Most wardialing applications do 
not offer this level of assessment The object of this extended capability is to confirm 
. potential vulnerabilities and characterize the level of security of telephony devices (primarily 
modems) in the same maimer that TCP/IP security scanners test for and characterize the 
sepurity posture of network devices. 

15 ; I)ue to theirdistributednature,.many organizations need to define, determine, 

^^^^ The 

preferred embodiment includes the ability to remotely manage administration, configuration 
and service. . Additionally, the present invention enables a large-scale organization to limit 
duplication of effort and ensure consistent application of security policy across a distributed 

20 organization. Although security systems are necessarily distributed, policy is usually 

dictated centrally. This requires an organization to control security devices in a top-down 
fashion. In order to assess the enterprise-wide security posture, detailed visibility into the 
entire organizational data stream is necessary. This detailed visibility is provided by 
collection at the device level, reporting up the management chain, and consolidating multiple 

25 reports at the Manager. 

The system architecture depicted in figure 3 supports distribution of the dialing 
software to remote locations, controlled and managed via TCP/IP 316 connections (e.g., over 
internal LANs, private WANs, or even over the Internet). To make the system as flexible as 
possible, one or more management GUIs are located on computers 312 and 314 and control 

30 one or more Dialers 306, 308 and 310 whether collocated on a single platform, or distributed 
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aroimd the globe via the Internet: Each Dialer 306, 308, and 310 has a set of modems 300, 
302, and 304 respectively, that can operate in parallel. With thi^ 

geographically separated organizations can leverage local dialing resources, executing very . 
large scale scans in parallel, then consolidating the results on-screen and in reports at a 
5 single logation. The advantages arie fast, extensive parallel execution and low cost since 
most, or all, calls are local in nature as opposed to the substantial cost of dialing long 
distance, In many cases, diedi^g <^ 

ever passing to the local carrier; an additional cost consideration when local calls are billed, 
as is the case in most European countries. In addition, although two Managers are shown, ' , . 
10. one Manager could also be configured to control all of the Diale^^ 

By operating in parallel, the present invention can accomplish very large scale scans 
in minimiun time/ A typical wardialer will get through 100 numbers per hour, per mode 
uses. In addition, most wardialers use only one modem. The present invention can use as 
many modems as the operating system will allow, and coordinates the scan among 
15 Dialers. In a scenario of a widely dispersed global company owning 3 milUon numbers, it 
. wo\ild take a typical wardialer about 30,000 hours. When the present invention is configured 
. wth 50 Dialers with 2 modems each, the scan would only take 300 hours to comple^^^ A 
system configured as depicted in figure 3 with 3 Dialers 306, 308, and SlOvnth 4 naodems 
300, 302, and 304 each, the scan would take 2500 ho^^ 
: 20 on time over the typical wardialer. V v .: 

The Managers also control logging the results of the Managers The 
logs include system service/performance as well as thei dialing results. Specifically, the log : 
files contain entries of all event messages. Configuration settings d^^ 
. logging fpr both service/perfornaahce and dialing results. In the distributed architecture, the 
25 centradtycontrolled Manager pushes the configi^ 

dialing applications. The reporting aspect also has the capability to report only "deltas" or . ^ 
changes from one scan to the next. This allows security personnel to execute monthly or 
bi-weekly scans and find out only what's c 

Figure 4 shows details of how the Manager functions an^ 
30 First, the Manager is installed and configured in module 400. The Manager then configures 
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the profiles and the Dialers in modtile 402. The levels of logging performed by the Dialers are 
configurable (i.e. informational, warning, critical, etcj by the user. , The Manager then sends 
sweep information to the Dialers in module 404. When the Managers task Dialers to perform 
dialing jobs, each job is traceable to the Manager that assigned that particular job. A 
5 decision is then made on whether to shutdown in module 406. If the shutdown instruction is 
entered, the Manager then restarts in module 510^ If the Manager is not to shutdown, the 
program then views the live results represented by module 408. Logs generated by Dieders 
are available for display in real time while dialing tasks are underway , Once the user 
finishes viewing the live results, the Manager returns to the user options in module 416. 
.10 Once the Manager is restarted, it then coiinects to known Dialers in module 412 and 

retrieves results in module 414. The Manager then gives the user three ojptions in module 
416. One of the options is to send sweep informatton represented by module 418. Another 
option is to view or compare the resldts represented by module 420. When the dia^^ 
are complete, the Manager consolidates results from all participating Dialers into a- single 
15 report. A third option is to configure profiles and/or the Dialers represented by module 422. 

The present invention also includes system service/performance logs. Logging system 
[ . . service/performance is a conmion feature of high-reliabilily products. It involves logging ■ 
service events and performance of hardware and software components to simplify 
troubleshooting and provide decision support. 
20 The present invention includes a dialing results log. Logging dialing results involves . 

recording coiDmunications details for realtime display and post-activity an^^ Details . 
: recorded indude, but are not limited to: 

- - Job Number . "r----' 

- Destination phone number 

25 : - Call type (voice, modem, fax) " ' ' 

- Job start d£ite-time group 

- Job end date-time group \ 
-Jobduration 

^ - Action(s) performed . . 

30 - Ifmodem or fEix is detected: 
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; - Name & type of application detected . ' 
> Type of vulnerability assessment performed, if any (Pa^^ 
V ; -Residtofvxilnerability assessment ; 

- Record the printing and non-printing characters in the b 
5 In order to assess organizational security posture, detailed visibility into the 

corporate data stream is necessary, This detailed visibility is provided by collectipn at the 
device level, reporting up the management chain, and consolidating multiple reports at the 
Manager. The present invention is capable of generating reports based on the results of its 
security sweeps on demand. Data reduction and collation is also supported to aid the 
10 security staff in their analysis of the current security posture and in detecting and 

characterizing trends in teleconcununicat^^ Since the present invention ccui be 

configured to be either a standalone (Manager and.Dialer on same platform), or as 
disixibuted system (Manager and Dialers on separate platforms), it also supports the 
capability for local report generation based only on the data gathered locally. The Manager 
1 5 also accepts, collates and sorts reports from midtiple Dialers to aid 
■ enterprise^wide security posture. : ' 

Security personnel require more than just a "snap shot" of the organization's current security, 
posture. Running several sweeps and then manually collating the vast amount of 
information to look for trends, is time consuming, difBcult and prone to human error. The 
20 preferred embodiment automatically collates the results from a series of sweeps over a period 
of time to be able to identify and analyze security trends. The results of trend analysis are 
then used to improve or reinforce organizational security policy. For instance, a lax security 
awareness environment in one department may manifest itself in a string of unauthorized 
modem detection events over a period of several months. This may necessitate further 
25 education or conwtive action by the security stafi^^ 

Now turning to figure 5, more details of the Dialers will be described. The Dialer 
starts with and installation and configuration represented by module 500. The Dialer then 
starts the Dialer process in module 502. The Dialer then has to accept a connection from the 
\\. Manager in module 504. In the preferred embodiment, the Dialer theii exchanges Ucensing /. 
30 information with the Manager in module 506. A variety of licensing schemes may be used in 
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order to ensure that the Manages and Dialers are properly licensed. In addition, since the 
Dialers and Managers may be remotely connected through the Internet, they may use 
encryption in order to secure communications. If so, a variety of encryption schemes can be 
used. The Dialer then receives commands from the Manager in module 508, and then 
5 determined whether there are results to send in module 510. If there are no results to send, 
the Dialer then returns to module 504 to accept Manager connections. If there are any 
results to send to the Manager, the Dialer then determines if there is a connection to send 
the resiilts to in module 512/ If not, the Dialer again returns back to module 504. K 
connection exists, then the Dialer sends the results to the appropriate Manager in module 

v-. / 10 514.. ' vV'"-; ; - 

Now turning to Figure 6, more details of the Dialer's functi^ 
Dialer first determines if there are any numbers to dial in modulis 600. From a logical flow 
perspective, the dialer remaiiis in an active diafing loop until 

particular profile have been dialed. At the start of the loop, the Dialer determines if there 
1 5 are more numbers left to dial, if so, it dials the next telephone num 

represented by module 602. If the Dialer receives a connection in module 604, the Dialer 
then tries to detect what type of system it is in module 606. If the Disder determines the 
connected system is a known system in module 608, the Dialer then attempts to penetrate 
the known system in module 610. The Dialer will log activity associated with each number, 
, 20 whether or not the Dialer was able to identify or penetrate the systeitl at the receiving end. 
Although illustrative embodiments of the invention have been sho 
. wide range of modification, change and substitution is intended in the foregoing disclosure 
; and in some instances some features of the present invention may be employed without a 
; corresponding use of the other features. Accordingly, it is appropriate that the appended 
25 claimsbe construedbroadly and in a manner coxisistent with the scope of the invention. . 
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1. A distributed system for identification of dialup access points into computer 
neiworks, the system copiprises:^ ^ ^ 

means ifor dialing a plurality of telephone numbers and logging results for each 
\.5. telephone number; • 

means for remotely managing the means for dialin and 
. means for reporting the results fo^ 

2. The system of claim 1 further including means for identification of the 

10 network access points by detecting Point to Point Protocol (PPP) and password guessing in , 
an attempt to gain access to the communications resource. 

3. The g^stem of claim 1 further including means for identification of the^ 
: ; network access points by detecting 

4. The system of claim 1 wherein the means for remotely managing the meaiis. . 
for disQing includes managing at least two mem^ 

5. Thefiystemofclaim4 wherein the at least two means for <fi^^ 
20 least two modems in each means for dialing. 

6. The system of claim 1 wherein the nieans for dieding 
numbers include dialing only local telephone numbers. 

25 : 7. The system of claiin 1 wherein the means for reporting includes means for 

. reporting chsmges in dialup access poin^^ 

- • ' 8. A method for identifying dialup access points into computer network^^ 
; / method comprises: V 

30 ■ dialing a plurality of telephone numbers and logging results for eac 
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-y' ."■ • ..number; ' : ' . 

remotely managing the dialing; and ^ , 
reporting the results for each telephone number. 

5 . 9. The method of claim 8 further including detecting Point to Point Protocol . 
• ^ (PPP) and password guessing in an attempt to gain access to the communications resour^^ 

10. The method of claim 8 further including detediing binary an 
■■ signatures..- 

^- \. 10 . . '^y^ . - '[;: " \ V-'.V 

. 11. The method of claim 8 wherein the remotely managing includes dialing at 

least two telephone numbers at the same time. 

12. The method of claim n wherein the dialing the at least two tete^ 
1 5 numbers includes dialing from at least two modems on one Dialer. 

13. Themethodof claim 8 wherein the dialing of a plurality of telephone hiunbers 
include dialing only local telephone ntmibers. 

20 14. The system of claim 8 wherein the reporting includes reporting changes in 

dialup access points since a previous scaii. ; . , T^-^^^. . : : 

15. A computer software system for identifying dialup access points into computer 
networks, the system comprises: 
25 <»mputer instructions for dialing a plurality of telephone 

V . V > for each tdephoneuuinber; 

computer instructions for remotely managing the dialing; and 
computer instructions for reporting the results for eac 
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: 16. 

. ; Point to Point Protocol (PPP) and password guessing in an attempt to gain access to the 
coininiuucations resource. 

5 17. ; The system of claim 15 further including computer instructions for detecting 

binary and^^ text signatures. 

. . 18. The system of claim 15 wherein the Gom^ 
managing includes computer instructions for dialing at least two telephone numbers at the . 
MO.;-', ^same time.^ ^ ; ''r--''\' r -^^''y': ^ 

19. The system of claim 18 wherein the' computer instnictionis for diahng t^^ 
least two telephone numbers includes computer instructions for dialing for at least two 
modems on one Dialer. ' ! ' 

:i5-: v " -.. " -■ "/ ' ' ■ ' . ' i ' ; ' 'V • ■ ■ ; . 

20. The system of claim 15 wherein the computer instructions for dialing a 
plurality of telephone numbers include computer instructions for dialing only local telephone 

'numbers. ' .' ■ 

20 21. The system of claim 15 wherein the computer instructions for reporting 

includes computer instructions for reporting changes in dialup access points since a previous 
scan. - ■- ^' 
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